Is this real business logic flaw?
While testing a domain, it offers a variety of contests to participate in, but the user must enter italian id to claim money after winning. When entering the contest, it asks you to enter the address, phone and italian tax id, after adding these, it uses italian id to check whether this user is already participated using another account. Here is the issue. I didn't verify the italian id and I was successfully contested and i lost, it is not an issue here, the real issue is I am able to change my italian id, anytime using the past request, and also I can create thousands of accounts with fake italian ids to participate in the contest. This has an impact on business right?. Even though fake italian id, cant get actual money(assumption) if the fake id won, then the fairness of the contest is broken here right? It didn't verify the italian id during the contest and after the contest too. After completing the contest, I got lost, and I had 2 more chances. Legitimate accounts have 3 tries. That's all I think. Any triager or hacker suggests me? Can I submit this?